URM Stores investigation ending; ripple effects continue

Credit unions increase fraud monitoring in wake of attack

Spokane Teachers Credit Union card-services manager Russell Palmer says recent breaches have had less of an effect on STCU members because of lessons learned from past events.

Spokane wholesaler URM Stores Inc. announced recently that it’s nearing the end of its investigation into the cyber-attacks last fall that compromised an unknown number of debit and credit cards, but some aftereffects of that breach still are being felt here.

In a Jan. 30 news release, URM included a list of the stores that were affected by the attack, which involved debit and credit cards used in the stores from Sept. 1 to Nov. 24. The list showed a total of 67 grocery stores, or about 40 percent of the more than 160 stores URM serves in Washington, Idaho, Oregon, and Montana. Of those listed, one is in Spokane, and three are in Spokane Valley.

The company announced on Nov. 25 that it had found signs of a criminal attack against its payment processing systems and recommended that its stores accept only cash and checks. URM said in its release that it engaged a computer security firm to investigate at that time. The FBI and the U.S. Secret Service also became involved in the investigation.

URM CEO Ray Sprinkle declines to comment beyond the press release on the current status of the resolution, citing the federal investigation. Jeffrey Bell, a partner at Gallatin Public Affairs, a 20-year-old regional crisis communications and public affairs consulting firm retained by URM, also declines to comment because of the open investigation.

URM is a supermarket-owned cooperative that offers wholesale grocery distribution and other support services, including payment processing systems. URM owns Rosauers, and its member-owners include Yoke’s Fresh Market, Super 1 Foods, Family Foods, CenterPlace Market, and Trading Company stores.

In the Jan. 30 release, URM said it believes that for most of the compromised transactions, the hackers were able to obtain what’s known as track 2 data, which is the card number, expiration date, and security code. In a small number of transactions, hackers might have gathered track 1 data, which includes the track 2 data and the cardholder’s name. The release states that no addresses, phone numbers, or Social Security numbers were compromised.

John Bole, CEO for Yoke’s Fresh Market, also declined to comment directly on the URM breach because of the investigation, but he notes that the issue of credit card security and how to improve it is drawing considerable attention nationally.

“There are initiatives at the national level to enhance the security of credit cards,” he says. “I’m interested in seeing how those develop.”

On Feb. 3, the U.S. Senate subcommittee on national security and international trade and finance met in an open session for a hearing on safeguarding consumers’ financial data. Prior to the hearing, the American Bankers Association released information with tips for consumers to avoid fraud, including monitoring accounts online, avoiding phishing scams, and monitoring credit reports.

Bole says he believes it’s also important for people to realize that even while companies are doing the best they can to ensure the security of their shoppers, “nothing is absolutely safe.”

Lynn Heider, spokeswoman for the Federal Way-based Northwest Credit Union Association, says that organization is aware of the URM attack, and is monitoring the situation through the credit unions here.

“We’re in constant conversation with our members in Spokane, so we’re aware there was some impact,” she says.

Heider also says that events like the URM breach and a recent Target Corp. breach, which affected consumers throughout the U.S., are extremely costly for banks and credit unions.

“It’s important for people to understand how expensive this is for credit unions,” she says. “But also, how quickly the credit union will respond to protect their members. First and foremost, they’ve invested in a lot of technology and have trained staff to monitor for suspicious activity.”

The Credit Union National Association (CUNA) is collecting data nationally from credit unions that were affected by the Target breach, Heider says, to hopefully better protect consumers in the future. At this time, she says, there isn’t a plan to do the same for the URM breach.

The NWCUA recently released information from the survey showing that credit unions in Washington and Oregon have incurred expenses totaling more than $1.3 million in connection with the Target breach.

Heider says that’s based on a charge of $5.10 for every card replaced, which is a national average derived from data gathered by CUNA.

“Part of it is the cost of the actual plastic, some of it is staff expenses, and a lot of credit unions immediately expanded their call service hours,” she says.

In the wake of the two data breaches, Heider says some credit unions are stepping up their fraud monitoring. Gesa Credit Union, of Tri-Cities, introduced a new mobile application called the Gesa Alerts App. The app monitors a user’s accounts and sends alerts for certain events, such as foreign purchases, transactions at gas stations and convenience stores, threshold alerts, and card-not-present alerts.

Locally, Renee Robertson, vice president of finance for PrimeSource Credit Union, says that institution pays from $6 to $7 for every card it replaces. That doesn’t include a communication fee the credit union has to pay when it puts in an order for new cards, she says. Credit union members aren’t charged for replacing cards that have been exposed to potential fraudulent use, she says.

“Clients do not have to pay for the new card; we don’t have our members pay for anything for data breach or fraud,” she says. “It’s not their fault.”

Robertson says that PrimeSource had well over 300 cards compromised by the URM data breach. She says the credit union immediately notified its members once the data breach was detected and issued the new cards.

Robertson says that after the attack, PrimeSource locked certain types of merchants into PIN-only status, meaning the customer must enter their PIN when using a card at those merchants. Robertson says the locked merchants are the kind of places where fraudulent users will test stolen information.

“We also increased the number of transactions that were actively going through eNFACT, a fraud-tracking software,” she says.

The fraud software monitors accounts and compares transactions to the account’s history in order to detect fraudulent charges. Robertson says the software examines the place of the transaction, the type and amount of transaction, and the type of merchant, among other data.

“We went from scanning approximately a quarter to a third of transactions, to now we are scanning approximately 75 percent,” she says. “We’re not scanning things like $5 at Starbucks. But say you’ve never ordered anything online, and then all of a sudden you’ve got two or three online charges. It’s going to pop out a fraud alert, and then we call the customer.”
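The history comparison Robertson describes can be sketched as follows; this is an added example, not code from the article, PrimeSource, or the eNFACT product. The `Txn` and `review` names, both thresholds, and the sample transactions are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed thresholds; the article gives no actual rule values.
SMALL_AMOUNT = 10.00   # purchases below this are not scanned
NEW_CHANNEL_BURST = 2  # alert on the 2nd charge in a never-used channel

@dataclass(frozen=True)
class Txn:
    amount: float
    channel: str        # "in_store" or "online" (card-not-present)
    merchant_type: str
    place: str

def review(history, incoming):
    """Compare incoming charges to account history; return [(txn, reasons)]."""
    channels = Counter(t.channel for t in history)
    merchants = Counter(t.merchant_type for t in history)
    places = Counter(t.place for t in history)
    max_amount = max((t.amount for t in history), default=0.0)
    new_channel_hits, alerts = Counter(), []
    for t in incoming:
        if t.amount < SMALL_AMOUNT:
            continue  # too small to scan
        reasons = []
        if channels[t.channel] == 0:
            new_channel_hits[t.channel] += 1
            if new_channel_hits[t.channel] >= NEW_CHANNEL_BURST:
                reasons.append(f"{new_channel_hits[t.channel]} {t.channel} charges, none in history")
        if places[t.place] == 0:
            reasons.append(f"new place: {t.place}")
        if merchants[t.merchant_type] == 0 and t.amount > max_amount:
            reasons.append("new merchant type above largest past amount")
        if reasons:
            alerts.append((t, reasons))
    return alerts

# Constructed sample data, not real account activity.
HISTORY = [Txn(54.20, "in_store", "grocery", "WA"), Txn(38.00, "in_store", "gas", "WA"),
           Txn(120.00, "in_store", "grocery", "WA"), Txn(5.00, "in_store", "coffee", "WA")]
INCOMING = [Txn(5.00, "in_store", "coffee", "WA"), Txn(61.75, "in_store", "grocery", "WA"),
            Txn(89.99, "online", "electronics", "WA"), Txn(240.00, "online", "electronics", "WA"),
            Txn(45.00, "in_store", "gas", "FL")]

if __name__ == "__main__":
    for txn, reasons in review(HISTORY, INCOMING):
        print(f"ALERT ${txn.amount:.2f} {txn.merchant_type}: {'; '.join(reasons)}")
```

On the sample data, the first online charge passes quietly, the second raises the alert, and the out-of-state purchase is flagged on place alone.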

Russell Palmer, card services manager for Liberty Lake-based Spokane Teachers Credit Union, says that institution doesn’t have any figures on how many of its members were affected by the URM data breach.

STCU spokesman Dan Hansen says that the number of cards affected by the URM and Target breaches is more than any the institution has seen in the past. Hansen also says the dollar amount of fraud per impacted card is less than in previous breaches.

Palmer says that STCU learned from past data breaches, and because of the fraud monitoring it has in place, it felt less of an effect from this attack.

STCU monitors members’ accounts for suspicious activity by looking at abnormalities in spending patterns, Palmer says. It’s in the process of implementing two new fraud prevention tools, neither of which is a result of the URM breach, he says.

The first change will involve adding what’s known as Europay, MasterCard, and Visa chip card technology, or EMV. Hansen says many retail and financial institutions are shifting to EMV cards, which have a microprocessor chip embedded in them that contains authentication for the card’s use. Unlike cards that have only a magnetic stripe, EMV cards contain a chip with a transaction-unique signature that proves the card’s authenticity and prevents hackers from being able to get data from the card.

Also, STCU is offering a feature for Visa users called V.me, an online application that enables users to customize alerts for their card to help monitor potential fraud.

Katie Ross

Reporter Katie Ross covers manufacturing, hospitality, and government at the Journal of Business. An outdoor enthusiast and snowboard fanatic, Katie is a recent graduate of Gonzaga University.